Amendments to the Claims

Claim 1 (currently amended): A computer program product for enabling an identity change during a certificate-based host access session, said computer program product embodied on a computer-readable medium and comprising:

computer-readable program code means for processing a first sign-on during a secure session using a digital certificate, further comprising:

computer-readable program code means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;

computer-readable program code means for storing said digital certificate or a reference thereto at said server machine;

computer-readable program code means for establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;

computer-readable program code means for passing said stored digital certificate or said reference from said server machine to a host access security system;

computer-readable program code means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;

computer-readable program code means, operable in said host access security system, for using said passed or retrieved digital certificate to locate access credentials for said user;

computer-readable program code means, operable in said host access security system, for accessing a stored password or generating a password substitute representing said located credentials;

computer-readable program code means, operable in said host access security system, for returning said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials;

computer-readable program code means for requesting, by said first secure legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user; and

computer-readable program code means for responding to said request for first sign-on information by sending a first sign-on message with placeholder syntax from said client machine to said server machine, said placeholder syntax representing a user identification and a password of said user, wherein said user identification and said password are expected in said first sign-on message by said first secure legacy host application; and

computer-readable program code means, operable in said server machine, for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to said first secure legacy host application executing at said host system by substituting said returned first user identifier and said returned password or password substitute for said placeholder syntax in said first sign-on message, thereby creating a revised first sign-on message, and forwarding said revised first sign-on message from said server machine to said first secure legacy host application; and

computer-readable program code means for processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate that represents a second identity, further comprising:

computer-readable program code means for receiving a second sign-on request, at said server machine from said client machine, wherein: (1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested; (2) said second sign-on request includes said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said second identity is for a second user, wherein said second user may be identical to said user;

computer-readable program code means for passing said second digital certificate or said second certificate reference from said server machine to said host access security system;

computer-readable program code means, operable in said host access security system, for authenticating said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;

computer-readable program code means, operable in said host access security system, for using said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;

Serial No. 09/619,912    Docket RSW9-2000-0081-US1

computer-readable program code means, operable in said host access security system, for accessing a second stored password or generating a second password substitute representing said second located credentials;

computer-readable program code means, operable in said host access security system, for returning said second stored password or second generated password substitute to said server machine, along with a second user identifier corresponding to said second located credentials; and

computer-readable program code means, operable in said server machine, for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system.

Claim 2 (previously presented): The computer program product as claimed in Claim 1, wherein said digital certificate and said second digital certificate are X.509 certificates and said digital certificate reference and second certificate reference are references to an X.509 certificate.

Claim 3 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a 3270 emulation protocol.

Claim 4 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a 5250 emulation protocol.

Claim 5 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a Virtual Terminal protocol.

Claim 6 (original): The computer program product as claimed in Claim 3, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 7 (previously presented): The computer program product as claimed in Claim 1, wherein said computer-readable program code means for processing said second sign-on further comprises computer-readable program code means for storing said second digital certificate at said server machine.

Claim 8 (canceled)

Claim 9 (currently amended): A system for enabling an identity change during a certificate-based host access session, comprising:

means for processing a first sign-on during a secure session using a digital certificate, further comprising:

means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;

means for storing said digital certificate or a reference thereto at said server machine;

means for establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;

means for passing said stored digital certificate or said reference from said server machine to a host access security system;

means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;

means, operable in said host access security system, for using said passed or retrieved digital certificate to locate access credentials for said user;

means, operable in said host access security system, for accessing a stored password or generating a password substitute representing said located credentials;

means, operable in said host access security system, for returning said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials;

means for requesting, by said first secure legacy host application, responsive to said means for establishing said session, first sign-on information for said user; and

means for responding to said request for first sign-on information by sending a first sign-on message with placeholder syntax from said client machine to said server machine, said placeholder syntax representing a user identification and a password of said user, wherein said user identification and said password are expected in said first sign-on message by said first secure legacy host application; and

means, operable in said server machine, for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to said first secure legacy host application executing at said host system by substituting said returned first user identifier and said returned password or password substitute for said placeholder syntax in said first sign-on message, thereby creating a revised first sign-on message, and forwarding said revised first sign-on message from said server machine to said first secure legacy host application; and

means for processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate that represents a second identity, further comprising:

means for receiving a second sign-on request, at said server machine from said client machine, wherein: (1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested; (2) said second sign-on request includes said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said second identity is for a second user, wherein said second user may be identical to said user;

means for passing said second digital certificate or said second certificate reference from said server machine to said host access security system;

means, operable in said host access security system, for authenticating said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;

means, operable in said host access security system, for using said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;

means, operable in said host access security system, for accessing a second stored password or generating a second password substitute representing said second located credentials;

means, operable in said host access security system, for returning said second stored password or second generated password substitute to said server machine, along with a second user identifier corresponding to said second located credentials; and

means, operable in said server machine, for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system.

Claim 10 (previously presented): The system as claimed in Claim 9, wherein said digital certificate and said second digital certificate are X.509 certificates and said digital certificate reference and second certificate reference are references to an X.509 certificate.

Claim 11 (original): The system as claimed in Claim 9, wherein said communication protocol is a 3270 emulation protocol.

Claim 12 (original): The system as claimed in Claim 11, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 13 (previously presented): The system as claimed in Claim 9, wherein said means for processing said second sign-on further comprises means for storing said second digital certificate at said server machine.

Claim 14 (canceled)

Claim 15 (currently amended): A method for enabling an identity change during a certificate-based host access session, comprising the steps of:

processing a first sign-on during a secure session using a digital certificate, further comprising the steps of:

establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;

storing said digital certificate or a reference thereto at said server machine;

establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;

passing said stored digital certificate or said reference from said server machine to a host access security system;

authenticating, by said host access security system, said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;

using, by said host access security system, said passed or retrieved digital certificate to locate access credentials for said user;

accessing, by said host access security system, a stored password or generating a password substitute representing said located credentials;

returning, by said host access security system, said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials;

requesting, by said first secure legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user; and

responding to said request for first sign-on information by sending a first sign-on message with placeholder syntax from said client machine to said server machine, said placeholder syntax representing a user identification and a password of said user, wherein said user identification and said password are expected in said first sign-on message by said first secure legacy host application; and

using, by said server machine, said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to said first secure legacy host application executing at said host system by substituting said returned first user identifier and said returned password or password substitute for said placeholder syntax in said first sign-on message, thereby creating a revised first sign-on message, and forwarding said revised first sign-on message from said server machine to said first secure legacy host application; and

processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate that represents a second identity, further comprising the steps of:

receiving a second sign-on request, at said server machine from said client machine, wherein: (1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested; (2) said second sign-on request includes said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said second identity is for a second user, wherein said second user may be identical to said user;

passing said second digital certificate or said second certificate reference from said server machine to said host access security system;

authenticating, by said host access security system, said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;

using, by said host access security system, said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;

accessing, by said host access security system, a second stored password or generating a second password substitute representing said second located credentials;

returning, by said host access security system, said second stored password or second generated password substitute to said server machine, along with a second identifier corresponding to said second located credentials; and

using, by said server machine, said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system.



Claim 16 (previously presented): The method as claimed in Claim 15, wherein said digital certificate and said second digital certificate are X.509 certificates and said digital certificate reference and second certificate reference are references to an X.509 certificate.

Claim 17 (original): The method as claimed in Claim 15, wherein said communication protocol is a 3270 emulation protocol.

Claim 18 (original): The method as claimed in Claim 17, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 19 (previously presented): The method as claimed in Claim 15, wherein said step of processing said second sign-on further comprises the step of storing said second digital certificate at said server machine.

Claim 20 (canceled)
Claim 21 (currently amended): The computer program product as claimed in Claim 1, wherein:

said computer-readable program code means for processing said second sign-on further comprises computer-readable program code means for receiving, at said server machine, a second sign-on message sent from said client machine, wherein said second sign-on message has placeholders placeholder syntax representing a user identification of said second user and a password of said second user, wherein said user identification of said second user and said password of said second user are expected in said second sign-on message by said second secure legacy host application; and

said computer-readable program code means for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on further comprises:

computer-readable program code means for substituting said returned second user identifier and said returned second password or second password substitute for said placeholders placeholder syntax in said second sign-on message, thereby creating a revised second sign-on message; and

computer-readable program code means for forwarding said revised second sign-on message from said server machine to said second secure legacy host application.

Claim 22 (previously presented): The computer program product according to Claim 1, wherein said second sign-on request includes information usable as proof that said second user owns said second digital certificate.
Claim 23 (previously presented): The computer program product acco^^ said proof further comprises a random seed value and a sequence number concatenated thereto by said client machine to detect replay attacks, wherein said random seed value was previously sent from said server machine to said client machine.

Claim 24 (previously presented): The computer program product according to Claim 23, wherein said identification of said second secure legacy host application is also concatenated to said random seed value.

Claim 25 (previously presented): The computer program product according to Claim 23, wherein a digital signature computed using a private key associated with said second digital certificate is included in said second sign-on request, said digital signature covering said random seed value and said concatenated sequence number.

Claim 26 (previously presented): The computer program product according to Claim 24, wherein a digital signature computed using a private key associated with said second digital certificate is included in said second sign-on request, said digital signature covering said random seed value, said concatenated sequence number, and said concatenated identification of said second secure legacy host application.

Claim 27 (currently amended): The system as claimed in Claim 9, wherein:

said means for processing said second sign-on further comprises means for receiving, at said server machine, a second sign-on message sent from said client machine, wherein said second sign-on message has placeholders placeholder syntax representing a user identification of said second user and a password of said second user, wherein said user identification of said second user and said password of said second user are expected in said second sign-on message by said second secure legacy host application; and

said means for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on further comprises:

means for substituting said returned second user identifier and said returned second password or second password substitute for said placeholders placeholder syntax in said second sign-on message, thereby creating a revised second sign-on message; and

means for forwarding said revised second sign-on message from said server machine to said second secure legacy host application.



Claim 28 (currently amended): The method as claimed in Claim 15, wherein:

said step of processing said second sign-on further comprises the step of receiving, at said server machine, a second sign-on message sent from said client machine, wherein said second sign-on message has placeholders placeholder syntax representing a user identification of said second user and a password of said second user, wherein said user identification of said second user and said password of said second user are expected in said second sign-on message by said second secure legacy host application; and

said step of using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on further comprises the steps of:

substituting said returned second user identifier and said returned second password or second password substitute for said placeholders placeholder in said second sign-on message, thereby creating a revised second sign-on message; and

forwarding said revised second sign-on message from said server machine to said second secure legacy host application.

Claim 29 (currently amended): A computer-implemented method for enabling an identity change during a certificate-based host access session, comprising steps of:

establishing a secure session between a client and a server using a digital certificate owned by a user of said client;

remembering said digital certificate at said server;

completing a first sign-on to a host application, by said server on behalf of said user, responsive to receiving an asynchronous sign-on request from said client that identifies said host application, further comprising the steps of:

using said remembered digital certificate to authenticate said user to a host access security component;

if said user is authenticated, locating, by said host access security component, access credentials of said user;

PAGE 19/26 * RCVD AT 12/10/2004 11:03:17 AM [Eastern Standard Time]

creating, by said host access security component, a passticket that represents said located access credentials;

returning said passticket from said host access security component to said server, along with a user identifier associated with said located access credentials; and

inserting, by said server, said passticket and said user identifier into a log-on message in place of placeholders therefor for a user password and said identifier, when said log-on message is received at said server from said client, thereby creating a revised log-on message, in a form expected by said host application, that is then sent from said server to sign said user on to said host application; and

completing a second sign-on to a second host application, by said server on behalf of a second user, responsive to receiving a second asynchronous sign-on request from said client that identifies said second host application, wherein said second host application may be identical to said host application and said second user may be identical to said user, further comprising the steps of:

using a new digital certificate and proof therefor to authenticate said second user to said host access security component, wherein said new digital certificate and said proof therefor are included in said second asynchronous sign-on request;

if said second user is authenticated, locating, by said host access security component, access credentials of said second user;

creating, by said host access security component, a second passticket that represents said located access credentials of said second user;

returning said second passticket from said host access security component to said server, along with a second user identifier associated with said located access credentials of said second user; and

inserting, by said server, said returned second passticket and said returned second user identifier into a second log-on message in place of placeholders therefor for a second user password and said second identifier, when said second log-on message is received at said server from said client, thereby creating a revised second log-on message, in said form expected by said second host application, that is then sent from said server to sign said second user on to said second host application.
Claim 30 (new): A method of providing identity change during a secure session, comprising steps of:

upon receiving a first log-on message containing placeholder syntax from a client during a secure session, substituting therefor a first user identifier and a first password substitute provided by a host access security system upon authentication of user credentials associated with the client and with a user thereof, thereby creating a revised first log-on message in a form expected by a first legacy host application, the first password substitute representing access privileges associated with the user credentials for the first legacy host application;

forwarding the revised first log-on message to the first legacy host application for completing a secure sign-on thereto;

upon receiving a second log-on message containing placeholder syntax from the client during the secure session, substituting therefor a second user identifier and a second password substitute provided by the host access security system upon authentication of second user credentials associated with the client and with the user thereof or a different user thereof, thereby creating a revised second log-on message in a form expected by a second legacy host application, the second password substitute representing access privileges associated with the second user credentials for the second legacy host application, wherein the second legacy host application may be identical to the first legacy host application; and

forwarding the revised second log-on message to the second legacy host application for completing a secure sign-on thereto.
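
The second sign-on recited in Claims 21 to 28 can be illustrated in code; the following is an added example, not part of the filing or of any product it describes. It verifies a proof built as seed, sequence number and application identification (Claims 23 to 26), rejects a replayed sequence number, and only then substitutes the returned user identifier and password substitute for the placeholders. Assumptions: an Ed25519 key pair stands in for the X.509 certificate and its private key, the `{{USERID}}` and `{{PASSWORD}}` tokens are hypothetical, and the credential map and its values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical placeholder tokens; the claims say only "placeholder syntax".
const userPlaceholder, passPlaceholder = "{{USERID}}", "{{PASSWORD}}"

var ErrReplay = errors.New("sequence number already used (replay)")
var ErrBadProof = errors.New("signature does not cover seed, sequence number and application")
var ErrRejected = errors.New("no credentials for certificate, or placeholders not present exactly once")

// Credential is what the host access security system returns to the server.
type Credential struct{ UserID, PassSubstitute string }

// SignOnRequest models the second sign-on request. An Ed25519 public key
// stands in for the X.509 certificate (assumption; no chain validation here).
type SignOnRequest struct {
	App, Message string // target application; message still carrying placeholders
	Seq          uint64
	Cert         ed25519.PublicKey
	Sig          []byte
}

// Session is the server's state for one secure session.
type Session struct {
	Seed    []byte                // random seed previously sent to the client
	Creds   map[string]Credential // constructed stand-in for the credential lookup
	lastSeq uint64                // highest sequence number accepted; clients start at 1
}

// NewSession draws a fresh random seed for the session.
func NewSession(creds map[string]Credential) *Session {
	seed := make([]byte, 16)
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	return &Session{Seed: seed, Creds: creds}
}

// NewIdentity creates a key pair that plays the role of a certificate.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// proofBytes builds seed || sequence number || application identification.
func proofBytes(seed []byte, seq uint64, app string) []byte {
	b := binary.BigEndian.AppendUint64(append([]byte{}, seed...), seq)
	return append(b, app...) // seed and seq are fixed width, so this is unambiguous
}

// ClientRequest signs the proof with the private key of the certificate.
func ClientRequest(priv ed25519.PrivateKey, seed []byte, seq uint64, app, msg string) SignOnRequest {
	return SignOnRequest{App: app, Seq: seq, Message: msg,
		Cert: priv.Public().(ed25519.PublicKey),
		Sig:  ed25519.Sign(priv, proofBytes(seed, seq, app))}
}

// SignOn checks the proof, rejects replays, then swaps the placeholders.
func (s *Session) SignOn(r SignOnRequest) (string, error) {
	if r.Seq <= s.lastSeq {
		return "", ErrReplay
	}
	if len(r.Cert) != ed25519.PublicKeySize ||
		!ed25519.Verify(r.Cert, proofBytes(s.Seed, r.Seq, r.App), r.Sig) {
		return "", ErrBadProof
	}
	cred, ok := s.Creds[string(r.Cert)]
	if !ok || strings.Count(r.Message, userPlaceholder) != 1 ||
		strings.Count(r.Message, passPlaceholder) != 1 {
		return "", ErrRejected
	}
	s.lastSeq = r.Seq // consume the sequence number only after every check passes
	return strings.NewReplacer(userPlaceholder, cred.UserID,
		passPlaceholder, cred.PassSubstitute).Replace(r.Message), nil
}

func main() {
	pub, priv := NewIdentity()
	s := NewSession(map[string]Credential{string(pub): {"USERA", "PTKT-constructed"}})
	req := ClientRequest(priv, s.Seed, 1, "APP1", "LOGON "+userPlaceholder+" "+passPlaceholder)
	fmt.Println(s.SignOn(req)) // accepted: placeholders replaced
	fmt.Println(s.SignOn(req)) // same request again: rejected as a replay
}
```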